Topology

Target IP: 10.129.205.158
Challenge Description: N/A.


Reconnaissance

Performing a port scan with the command sudo nmap -sS 10.129.205.158 -p- shows that two TCP ports are open on the target machine: SSH and HTTP, as shown above. I will perform an aggressive scan against these two TCP ports to identify their services.

I performed an aggressive port scan using the command sudo nmap -sV -A 10.129.205.158 -p 22,80 and obtained the result shown above. There is an interesting web application on port 80 by the looks of it. I will start enumeration there.

Running whatweb against the HTTP application with the command whatweb http://10.129.205.158 shows that the target machine uses the domain name topology.htb. I will add this hostname to my /etc/hosts file first. I will also perform subdomain enumeration with ffuf to identify any subdomains.

I performed subdomain enumeration with the command ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.topology.htb" -u http://topology.htb -fs 6767 and successfully identified two subdomains: dev.topology.htb and stats.topology.htb. Time to add these new hostnames to my /etc/hosts file.

Now my /etc/hosts file contains the entry shown above. Time to begin the enumeration.


Enumeration

Port 80: HTTP (topology.htb)
The webpage above is displayed for this web application. Right away, I notice the web application is mostly static. However, there is also an interactive feature named LaTeX Equation Generator under Software Projects, as shown above. When I hover over this hyperlink, I see the hostname latex.topology.htb. I will add this new hostname to my /etc/hosts file too.

Port 80: HTTP (latex.topology.htb)
The interactive feature of the web application is located under this subdomain. The main webpage is shown above. I notice I can submit LaTeX code to generate equations. If the LaTeX application is vulnerable to command injection, maybe I can obtain RCE? Hmm... Before attacking the web application, I want to enumerate further to find more information about it. I tested the web application and it works: submitted LaTeX code is rendered into an image file.

After searching online for LaTeX injection payloads that might give me command execution, I found a working payload that instead reads the /etc/passwd file: $\lstinputlisting{/etc/passwd}$, as shown above. I notice there is a user called vdaisley. Maybe I can read this user's SSH key? However, I had no luck. From previous enumeration, I found that dev.topology.htb required me to log in. Maybe I can read the .htpasswd file instead using the same payload?
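The root cause here is that the renderer compiles arbitrary user-supplied LaTeX, and TeX has several primitives (\lstinputlisting, \input, \include, \openin, \write18) that read files or run programs. The following is an added example of how a defender would harden such a renderer; it is my own code, not the application's or the writeup's. It screens the input against an allow-list of math commands and environments (every name and constant is mine) and builds a pdflatex invocation with shell escape disabled; it assumes the renderer calls pdflatex, which the writeup does not confirm, and that the kpathsea variables openin_any/openout_any are honoured from the environment.

```python
import os
import re

# Added example (not code from the writeup or the target application): a
# strict allow-list screen for user-supplied equation LaTeX, plus a hardened
# pdflatex invocation. All names here are my own; the renderer on the box is
# assumed to call pdflatex, which the page does not confirm.

MAX_SOURCE_LEN = 2000

# Commands an equation renderer actually needs. Anything else (\input,
# \include, \lstinputlisting, \write18, \openin, \directlua, ...) is rejected
# simply by not being listed, so a new file-read or shell primitive cannot
# slip through a forgotten deny-list entry.
ALLOWED_COMMANDS = frozenset("""
begin end frac sqrt sum prod int oint lim infty partial nabla
alpha beta gamma delta epsilon theta lambda mu pi sigma phi omega
Gamma Delta Theta Lambda Pi Sigma Phi Omega
sin cos tan log ln exp min max
left right cdot times pm mp leq geq neq approx equiv to rightarrow
mathbb mathrm mathbf mathcal text hat vec bar tilde dot overline underline
dots ldots cdots vdots quad qquad binom
""".split())
# Single-character escapes such as \{ \} \, \; and \\ (line break in align).
ALLOWED_SYMBOL_ESCAPES = frozenset("\\{},;:! _&|")
ALLOWED_ENVIRONMENTS = frozenset(
    {"equation", "equation*", "align", "align*", "aligned", "cases",
     "matrix", "pmatrix", "bmatrix", "vmatrix"})
# Characters that change how TeX tokenises or reads input; none is needed in
# a math expression.
FORBIDDEN_CHARS = "%#@~"

_TOKEN_RE = re.compile(r"\\(?:([A-Za-z]+)|(.))", re.DOTALL)
_ENV_RE = re.compile(r"\\(?:begin|end)\s*\{([^}]*)\}")


def screen_latex(src: str) -> list[str]:
    """Return the reasons to reject `src`; an empty list means accept."""
    problems: list[str] = []
    if len(src) > MAX_SOURCE_LEN:
        problems.append(f"source longer than {MAX_SOURCE_LEN} characters")
    for ch in FORBIDDEN_CHARS:
        if ch in src:
            problems.append(f"forbidden character {ch!r}")
    if "^^" in src:
        problems.append("caret notation ^^ is not allowed")
    for m in _TOKEN_RE.finditer(src):
        name, sym = m.group(1), m.group(2)
        if name is not None:
            if name not in ALLOWED_COMMANDS:
                problems.append(f"command \\{name} is not allowed")
        elif sym not in ALLOWED_SYMBOL_ESCAPES:
            problems.append(f"escape \\{sym} is not allowed")
    for m in _ENV_RE.finditer(src):
        env_name = m.group(1).strip()
        if env_name not in ALLOWED_ENVIRONMENTS:
            problems.append(f"environment {env_name} is not allowed")
    return problems


def build_compile_command(tex_path: str, timeout_s: int = 10) -> tuple[list[str], dict[str, str]]:
    """argv and environment for compiling an already-screened file.

    -no-shell-escape disables \\write18 even if texmf.cnf enables it, and the
    kpathsea variables openin_any/openout_any = p ("paranoid") stop TeX from
    reading or writing outside the working directory tree (assumption: these
    are honoured from the environment, as kpathsea does for texmf.cnf
    variables). `timeout` bounds pathological inputs.
    """
    workdir = os.path.dirname(os.path.abspath(tex_path))
    argv = ["timeout", str(timeout_s), "pdflatex", "-no-shell-escape",
            "-interaction=batchmode", "-halt-on-error",
            "-output-directory", workdir, tex_path]
    env = {"PATH": "/usr/bin:/bin", "HOME": workdir,
           "openin_any": "p", "openout_any": "p", "shell_escape": "f"}
    return argv, env


if __name__ == "__main__":
    # Constructed inputs: the writeup's file-read payload and a benign formula.
    for sample in (r"$\lstinputlisting{/etc/passwd}$", r"$\frac{a}{b} + \sqrt{x^2+y^2}$"):
        verdict = screen_latex(sample)
        print(sample, "->", "rejected: " + "; ".join(verdict) if verdict else "accepted")
```

The allow-list is deliberately the primary control: the compile flags are defence in depth, because a renderer that still accepts \input or \lstinputlisting will leak any file the service account can read regardless of shell-escape settings. Wrapping the whole thing in a dedicated unprivileged user (so the .htpasswd of a sibling vhost is not readable at all) is the third layer.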


Exploitation

And bingo! I successfully read the .htpasswd file contents using the payload $\lstinputlisting{/var/www/dev/.htpasswd}$. Time to copy the password hash to my machine and crack it using john.

I copied the password hash $apr1$1ONUB/S2$58eeNVirnRDB5zAIbIxTY0 to a file called hash on my machine. Then, using the command john hash --wordlist=/usr/share/wordlists/rockyou.txt, I cracked it and obtained the password calculus20, as shown above. Now I have the credentials vdaisley:calculus20. Time to access dev.topology.htb with these credentials.
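The hash cracked within seconds because $apr1$ is MD5-crypt: 1000 MD5 rounds with an 8-character salt, designed in the 1990s and cheap to brute-force with a wordlist. The block below is an added example, my own code rather than anything from the writeup or the box, that implements $apr1$ in pure stdlib Python so the writeup's hash can be verified against the recovered password, and audits an .htpasswd file for weak schemes. The sample .htpasswd is constructed from the writeup's hash; the bcrypt line in it is a placeholder of the right shape, not a real digest.

```python
import hashlib
import hmac

# Added example, not code from the writeup: a pure-stdlib implementation of
# Apache's $apr1$ (MD5-crypt with the "$apr1$" magic), used here to verify an
# .htpasswd entry, plus a small auditor that flags weak hash schemes. The
# sample .htpasswd below is constructed from the hash shown in the writeup.

_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
WRITEUP_HASH = "$apr1$1ONUB/S2$58eeNVirnRDB5zAIbIxTY0"


def _to64(value: int, count: int) -> str:
    """crypt(3)-style base64: `count` chars, least-significant 6 bits first."""
    out = []
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_crypt(password: bytes, salt: bytes, magic: bytes = b"$apr1$") -> str:
    """MD5-crypt as in FreeBSD/Apache: 1000 MD5 rounds, fast enough that a
    rockyou-scale wordlist falls in seconds, which is why it cracked above."""
    salt = salt[:8]
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(password)
    while bits:
        ctx.update(b"\0" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):
        rnd = hashlib.md5()
        rnd.update(password if i & 1 else final)
        if i % 3:
            rnd.update(salt)
        if i % 7:
            rnd.update(password)
        rnd.update(final if i & 1 else password)
        final = rnd.digest()
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)))
    encoded += _to64(final[11], 2)
    return (magic + salt).decode() + "$" + encoded


def apr1_verify(password: str, stored: str) -> bool:
    """Constant-time comparison of `password` against a $apr1$ hash string."""
    parts = stored.split("$")          # ["", "apr1", salt, digest]
    if len(parts) != 4 or parts[1] != "apr1":
        return False
    computed = apr1_crypt(password.encode(), parts[2].encode())
    return hmac.compare_digest(computed, stored)


def hash_scheme(digest: str) -> tuple[str, bool]:
    """(scheme name, is_strong) for one .htpasswd digest field."""
    if digest.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt", True            # what `htpasswd -B` produces
    if digest.startswith("$apr1$"):
        return "apr1-md5", False
    if digest.startswith("{SHA}"):
        return "sha1", False
    if len(digest) == 13:
        return "crypt-des", False
    return "plaintext-or-unknown", False


def audit_htpasswd(text: str) -> list[tuple[str, str, bool]]:
    """Parse .htpasswd lines into (user, scheme, is_strong) rows."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, digest = line.split(":", 1)
        scheme, strong = hash_scheme(digest)
        rows.append((user, scheme, strong))
    return rows


# Constructed sample: the writeup's hash, plus a bcrypt-style line for contrast
# (the bcrypt digest is a placeholder of the right shape, not a real hash).
SAMPLE_HTPASSWD = (
    f"vdaisley:{WRITEUP_HASH}\n"
    "# example of the scheme to migrate to:\n"
    "auditor:$2y$10$PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOL\n"
)

if __name__ == "__main__":
    for user, scheme, strong in audit_htpasswd(SAMPLE_HTPASSWD):
        print(f"{user}: {scheme} {'ok' if strong else 'WEAK - rehash with htpasswd -B'}")
    print("calculus20 verifies:", apr1_verify("calculus20", WRITEUP_HASH))
```

Two fixes follow from the audit: regenerate entries with htpasswd -B (bcrypt), and keep the .htpasswd file outside any path the LaTeX renderer's account can read, since a strong hash only buys time once the file has leaked.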

Port 80: HTTP (dev.topology.htb)
I browsed to dev.topology.htb and input the new credentials to sign in, as shown above.

After logging in successfully, the webpage above was presented to me. I notice there is another button under the LaTeX Equation Generator projects section. Maybe I can obtain more information about the web application itself, like the application version? Hmm...

I notice there are interesting files inside this project directory, as shown above. However, I did not find anything directly useful beyond the setup used by the web application, such as the packages it installs. Time to test the credentials against the SSH service on port 22.

And bingo! I successfully logged in as the user vdaisley via SSH on port 22, as shown above. Now I have a foothold on the target machine as this user :)


Privilege Escalation

After some manual enumeration, I transferred pspy64 to the target machine and ran it. It revealed the unusual cron job shown above. The directory /opt/gnuplot/ contains a few interesting scripts, also shown above; the one I find most interesting is getdata.sh. However, I cannot read this script, as it is owned by root. I notice the cron job looks for .plt files inside /opt/gnuplot and executes them with the gnuplot binary as root. Maybe I can create a malicious .plt file to execute system commands?

Obtaining a root shell is straightforward. gnuplot can execute system commands through its system command. With echo "system 'chmod u+s /bin/bash'" > /opt/gnuplot/shell.plt, I dropped a .plt file that makes the root cron job set the SUID bit on /bin/bash. After waiting a minute, I executed /bin/bash -p to spawn a root shell, as shown above. GG.
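The privilege escalation needed two misconfigurations at once: a directory that an unprivileged user can write to, and a root cron job that executes whatever gnuplot scripts appear there. The block below is an added example, my own code and not anything from the writeup or the box, of how an administrator or detection engineer would audit such a setup. It flags gnuplot's documented command-execution constructs (the system command/function, ! shell-escape lines, the shell command, and the '< cmd' / '| cmd' popen forms) in .plt files, and checks whether the drop directory is writable by anyone other than root. The function names and the sample .plt contents are mine.

```python
import os
import re
import stat

# Added example, not code from the writeup or the box: audit a directory that
# a root cron job feeds to gnuplot. Two checks: (1) can a non-root user drop
# files there, and (2) do any .plt files use gnuplot's documented ways of
# running external commands? Function and variable names are mine.

# gnuplot constructs that execute a shell or another program.
_SHELL_PATTERNS = (
    (re.compile(r"\bsystem\b"),     "system command/function"),
    (re.compile(r"^\s*!"),          "! shell-escape line"),
    (re.compile(r"^\s*shell\b"),    "shell command"),
    (re.compile(r"""['"]\s*<"""),   "popen input ('< cmd')"),
    (re.compile(r"""['"]\s*\|"""),  "popen output ('| cmd')"),
)


def scan_plt(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, reason, line) for every line that can run a command."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        code = line.split("#", 1)[0]            # strip gnuplot comments
        for pattern, reason in _SHELL_PATTERNS:
            if pattern.search(code):
                findings.append((no, reason, line.strip()))
                break
    return findings


def writable_by_others(mode: int, owner_uid: int = 0) -> bool:
    """True if a directory with this st_mode/owner lets a non-root user add files.

    A non-root owner can always add files; otherwise the group or other write
    bit is what matters (the sticky bit does not stop file creation).
    """
    if owner_uid != 0:
        return True
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_drop_dir(path: str) -> dict:
    """Stat `path` and scan its .plt files; returns a report dict."""
    st = os.stat(path)
    report = {
        "path": path,
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "owner_uid": st.st_uid,
        "untrusted_writable": writable_by_others(st.st_mode, st.st_uid),
        "risky_files": {},
    }
    for name in sorted(os.listdir(path)):
        if name.endswith(".plt"):
            full = os.path.join(path, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                hits = scan_plt(fh.read())
            if hits:
                report["risky_files"][full] = hits
    return report


# Constructed .plt contents: the writeup's SUID payload and a benign plot.
MALICIOUS_PLT = "set terminal png\nsystem 'chmod u+s /bin/bash'\nplot sin(x)\n"
BENIGN_PLT = "set terminal png\nset output 'out.png'\nplot sin(x) title 'wave'\n"

if __name__ == "__main__":
    print("malicious:", scan_plt(MALICIOUS_PLT))
    print("benign:   ", scan_plt(BENIGN_PLT))
    if os.path.isdir("/opt/gnuplot"):
        print(audit_drop_dir("/opt/gnuplot"))
```

Either finding alone is enough to fix: make /opt/gnuplot root-owned with mode 0755 (or have the cron job read from a location only root can write), and run gnuplot from cron as a dedicated unprivileged user rather than root, since gnuplot has no switch that disables its shell access.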


Flags

The two flags are shown above.